Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Alexa Eavesdropping Flub Re-Sparks Voice Assistant Privacy Debate

After an Alexa speaker recorded and shared a private conversation, the tech community is casting a wary eye on voice assistant privacy issues.

After an Alexa-enabled Echo device recorded and shared a private conversation of its unknowing owners, the tech industry – and the public – is casting a wary eye on voice assistant privacy issues.

On Thursday, news emerged that a Portland family’s Echo device had recorded a conversation of them – without them knowing – and then sent an audio file to one of their contacts.

The impacted couple, whose last name was not reported and who said the incident occurred two weeks ago, told news station KIRO 7 that they realized they were being recorded when the contact who received the file called them to say she received an uncanny voice recording. The couple then called Amazon and notified the tech company about the incident.

Amazon has confirmed the error and offered an explanation of what happened in an emailed statement to Threatpost:

“Echo woke up due to a word in background conversation sounding like “Alexa.” “Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right.”

Similar to many others with Alexa-controlled home assistants, the Portland family’s home was wired with Internet of Things-connected Amazon devices to control the house’s heat, lights and security system. The family said that they disconnected everything after the incident.

Many in the tech industry see the incident as yet another example of just how easy it is for Alexa – and other voice assistants – to expose consumers’ private conversations and lives within their homes.

“It is not clear if this was simply a software flaw or a malicious attack, but it is a stark wake-up call nonetheless,” Andreas Kuehlmann, senior vice president and general manager at Synopsys said, in an email. “The reports that a popular voice assistant unexpectedly recorded a personal conversation and leaked information to a third party should be a reminder of the potential security and privacy risks of our… always-connected world.”

Amazon has been under heightened scrutiny before when it comes to privacy issues: In May, a team of researchers found that it is possible to closely mimic legitimate voice commands in order to carry out suspicious actions. In April, Checkmarx researchers launched a malicious proof-of-concept Amazon Echo Skill to show how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices and automatically transcribe every word said.

But this month’s incident shows that even if a team of researchers aren’t actively looking for vulnerabilities, glitches still exist within smart voice assistants that can potentially lead to a breach of privacy.

“Security and privacy continues to be an issue for these new connected devices… with hackers looking to target these new devices, this is a reminder of the privacy risks that exist for users, at home and at work,” Nadir Izrael, CTO of Armis, said in an emailed comment.

Privacy issues aren’t just limited to Alexa. Last year, researchers devised a proof of concept that gives potentially harmful instructions to popular voice assistants like Siri, Google, Cortana, and Alexa using ultrasonic frequencies instead of voice commands.

Amazon said in the statement that “as unlikely as this string of events is, we are evaluating options to make this case even less likely.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.